From owner-announce-jp@jp.freebsd.org  Sun Jul 16 09:07:51 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id JAA20225;
	Sun, 16 Jul 2000 09:07:51 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Message-ID: <20000716000749.3314.qmail@smtp.246.ne.jp>
To: announce-jp@jp.FreeBSD.org
Reply-To: doc-jp@jp.freebsd.org
In-Reply-To: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
References: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 19.28 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sun, 16 Jul 2000 09:07:30 +0900
From: Koga Youichirou <y-koga@jp.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: announce-jp 481
Subject: Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
Errors-To: owner-announce-jp@jp.freebsd.org
Sender: owner-announce-jp@jp.freebsd.org


 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:24.libedit
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Wed,  5 Jul 2000 16:02:39 -0700 (PDT)
  Message-Id: <20000705230239.8E2CF37B8B6@hub.freebsd.org>
  X-Sequence: announce-jp 465

 $B$rF|K\8lLu$7$?$b$N$G$9(B. 

 $B86J8$O(B PGP $B=pL>$5$l$F$$$^$9$,(B, $B$3$NF|K\8lLu$O(B PGP $B=pL>$5$l$F$$$^$;$s(B. 
 $B%Q%C%AEy$NFbMF$,2~cb$5$l$F$$$J$$$3$H$r3NG'$9$k$?$a$K(B PGP $B$N%A%'%C%/$r(B
 $B9T$J$&$K$O(B, $B86J8$r;2>H$7$F$/$@$5$$(B. 

 $BF|K\8lLu$O(B FreeBSD $BF|K\8l%I%-%e%a%s%F!<%7%g%s%W%m%8%'%/%H(B(doc-jp)$B$,;29M$N(B
 $B$?$a$KDs6!$9$k$b$N$G(B, doc-jp $B$O(B $B$=$NFbMF$K$D$$$F$$$+$J$kJ]>Z$b$$$?$7$^$;$s(B.
 $BF|K\8lLu$K$D$$$F$N$*Ld$$9g$o$;$O(B doc-jp@jp.FreeBSD.org $B$^$G$*4j$$$7$^$9(B.

--($B$3$3$+$i(B)
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:24                                           Security Advisory
                                                                FreeBSD, Inc.

$B%H%T%C%/(B:	libedit reads config file from current directory

$BJ,N`(B:		core
$B%b%8%e!<%k(B:	libedit
$B9pCNF|(B:		2000-07-05
$B1F6AHO0O(B:	$B=$@5F|$h$jA0$N$9$Y$F$N%P!<%8%g%s$N(B FreeBSD
$B%/%l%8%C%H(B:	Tim Vanderhoek <hoek@FreeBSD.org>
$B%Y%s%@$N%9%F!<%?%9(B:	$BG'<1:Q(B
$B=$@5F|(B:		2000-05-22
FreeBSD $B$K8GM-$+(B:	NO

I.   $BGX7J(B - Background

libedit $B$O(B, $BBPOCE*$J%3%^%s%I;X8~%W%m%0%i%`MQ$K(B, $BF~NO9T$NJT=8$d%R%9%H%j(B
$B5!G=$rDs6!$9$k%i%$%V%i%j$G$9(B. 

II.  $BLdBj$N>\:Y(B - Problem Description

libedit $B$O(B, $B%+%l%s%H%G%#%l%/%H%j$K(B .editrc $B%U%!%$%k$,B8:_$9$k>l9g(B, 
$B8m$C$F$=$l$rFI$_9~$_(B, $B%W%m%0%i%`$NF0:n$r@_Dj$7$F$7$^$$$^$9(B. $B$^$?(B, $B$=$N(B
$B:](B .editrc $B%U%!%$%k$N=jM-<T$r3NG'$7$^$;$s(B. $B$=$N$?$a(B, $BB>$N%f!<%6$,$"$k(B
$B%G%#%l%/%H%j$G(B libedit $B$H%j%s%/$5$l$?%P%$%J%j$r<B9T$9$k(B ($B$?$H$($P(B root 
$B$,(B /tmp $B$+$i(B ftp(1) $B$r<B9T$9$k(B) $B>l9g(B, $B$=$N<B9T;~$N%G%#%l%/%H%j$K$"$i$+(B
$B$8$a(B .editrc $B%U%!%$%k$r:n@.$7$F$*$/$3$H$G(B, $B967b<T$OB>$N%f!<%6$N%-!<%P(B
$B%$%s%I$rG$0U$K:F@_Dj$7$?$j(B, $BC<Kv$N%1!<%Q%S%j%F%#$rJQ99$9$k$3$H$,2DG=$G(B
$B$9(B. $B$3$l$OB>$N%f!<%6$,(B, $B%7%9%F%`$N%;%-%e%j%F%#$r?/$9$h$&$J%W%m%0%i%`$r(B
$B$=$l$H5$$E$+$:$K<B9T$7$F$7$^$&>u67$rM6H/$5$;$kL\E*$GMxMQ$5$l$k2DG=@-$,(B
$B$"$j$^$9(B. $B$?$H$($P(B, ftp(1) $B$K$O%7%'%k$r8F$S=P$7$F%3%^%s%I$r<B9T$9$k5!(B
$BG=$,$"$j$^$9$,(B, $B$3$l$O(B libedit $B$K$h$C$F<B8=$5$l$F$$$^$9(B.

$B$3$3$GDs6!$9$k%Q%C%A$O(B, $BLdBj$H$J$k=hM}$r:o=|$7(B, .editrc $B%U%!%$%k$,B8:_(B
$B$7(B, $B$+$D<B9T%U%!%$%k$,8"8B$r>e>:$5$;$k$3$H$,$J$$>l9g(B ($B$9$J$o$A(B setuid 
$B$d(B setgid $B$5$l$F$$$J$$>l9g(B), libedit $B$,%f!<%6$N%[!<%`%G%#%l%/%H%jG[2<$N(B
$B@_Dj%U%!%$%k$@$1$r;2>H$9$k$h$&$K$7$^$9(B. 

FreeBSD 3.5-RELEASE does not have this problem. However, 4.0-RELEASE is
affected by it, because the problem was discovered after that release.

III. $B1F6AHO0O(B - Impact

$B%f!<%6$,%W%m%0%i%`$r<B9T$9$k%G%#%l%/%H%j$,!"967b<T$K$h$C$F=q$-9~$_2DG=(B
$B$G$"$k>l9g(B, $B967b<T$OG$0U$N%3%^%s%I(B ($BLuCm(B: $B%W%m%0%i%`$,Ds6!$9$kBPOCE*$J(B
$B%3%^%s%I(B) $B$r<B9T$5$;$k$3$H$,$G$-$^$9(B. (root $B$N$h$&$J(B) $BFC8"%f!<%6$G$=$N(B
$B%W%m%0%i%`$r<B9T$9$k$H(B, $B%7%9%F%`$,4m81$K$J$k2DG=@-$,$"$j$^$9(B. 

IV.  $BBP1~:v(B - Workaround

$BB>$N%f!<%6$,=q$-9~$_2DG=$J%G%#%l%/%H%j$G(B, libedit $B$r%j%s%/$7$F$$$k%f!<(B
$B%F%#%j%F%#$rBPOCE*$K<B9T$7$J$$$h$&$K$9$k(B. 

libedit $B$rF0E*$K%j%s%/$7$F$$$k%f!<%F%#%j%F%#$r3NG'$9$k$?$a$K(B, libfind 
$B$H$$$&%D!<%k$H$=$N(B PGP $B=pL>$r%@%&%s%m!<%I$7(B, PGP $B%f!<%F%#%j%F%#$r;HMQ(B
$B$7$F(B, PGP $B=pL>$H>H9g$7$^$9(B. 

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc

root $B8"8B$G(B libfind.sh $B%D!<%k$r<B9T$7$^$9(B. 

# sh libfind.sh libedit /

$B@EE*$K(B libedit $B$,%j%s%/$5$l$?%f!<%F%#%j%F%#$K$D$$$F$O(B, $B$=$N$h$&$J%P%$(B
$B%J%j$r8+$D$1$k$?$a$NJ8;zNs$,Kd$a9~$^$l$F$$$J$$$N$G8+$D$1$k$3$H$,$G$-$J(B
$B$$$3$H$KCm0U$,I,MW$G$9(B. $B$7$+$70J2<$N%j%9%H$O(B, $B@EE*$^$?$OF0E*$K(B libedit 
$B$,%j%s%/$5$l$F$$$k(B FreeBSD $B%7%9%F%`$N%f!<%F%#%j%F%#$N40A4$J%j%9%H$G$"(B
$B$k$H;W$$$^$9(B. 

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl

libedit $B$ODL>o$N;HMQ$K$*$$$F%]!<%?%V%k$J%i%$%V%i%j$G$O$"$j$^$;$s$N$G(B, 
$B$3$l$r@EE*$K%j%s%/$7$F$$$k$h$&$J(B FreeBSD ports $B$O$"$^$j$J$$$H;W$o$l$^(B
$B$9(B ($B8=;~E@$G$O(B, $B$=$N$h$&$J(B ports $B$O3NG'$5$l$F$$$^$;$s(B). 

V.   $B=$@5=hCV(B - Solution

$B0J2<$N$$$:$l$+$r9T$J$C$F$/$@$5$$(B. 

1) $B<eE@$N$"$k%7%9%F%`$r(B, $B=$@5F|0J9_$N%P!<%8%g%s$K%"%C%W%0%l!<%I$9$k(B. 

2) $BK\4+9p$r%U%!%$%k$KJ]B8$9$k$+(B, $B0J2<$N(B URL $B$+$i%Q%C%A$H$=$N(BPGP $B=pL>$r(B
$B%@%&%s%m!<%I$7(B, PGP $B%f!<%F%#%j%F%#$r;HMQ$7$F(B PGP $B=pL>$H>H9g$7$^$9(B. 

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc

Apply the patch and rebuild as follows.

# cd /usr/src/lib/libedit
# patch -p < /path/to/patch/or/advisory

Rebuild the system by following the page below.

http://www.freebsd.org/handbook/makeworld.html

    --- el.c	1999/08/20 01:17:12	1.6
    +++ el.c	2000/05/22 05:55:22	1.7
    @@ -290,13 +294,10 @@
         char *ptr, path[MAXPATHLEN];
     
         if (fname == NULL) {
    -	fname = &elpath[1];
    -	if ((fp = fopen(fname, "r")) == NULL) {
    -	    if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    -		return -1;
    -	    (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    -	    fname = path;
    -	}
    +	if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    +	    return -1;
    +	(void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);
    +	fname = path;
         }
     
         if ((fp = fopen(fname, "r")) == NULL)
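
Review bot: the result of snprintf() on the added line is still cast to void, so a HOME value long enough to overflow sizeof(path) is silently truncated and the fopen() below opens whatever the shortened name resolves to; compare the return value against sizeof(path) and return -1 on truncation. Separately, the advisory lists the missing ownership check on .editrc as part of the problem, and nothing in this hunk adds one: trust now rests entirely on HOME, so an fstat() of the opened file comparing st_uid with the real uid would be worth adding after the fopen(). Minor style point: the new line writes "(void) snprintf" where the removed line had "(void)snprintf".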
    
